Comment 144 for bug 232340

In , Eddy-nigg (eddy-nigg) wrote:

(In reply to comment #12)
>
> Some open questions:
>
> 1. Given the obvious possibility of StartCom's service being used to obtain
> free SSL certs for phishing sites, what is StartCom's strategy to deal with
> possible fraudulent use of the service? Is it limited to certificate revocation
> based on reports of possible fraud, or are other measures in place or planned?
>

The pricing policy of StartCom, and the fact that certain products and certificates
are provided free of charge, are not relevant to the question above. The validation
of certificates is a function of the controls, verification procedures and validation
in place, not the cost of the certificate.

Example: In the past we used to issue Class 2 certificates without charging any fees
(and we might do so again in the future). Did this change the validity of the
certificates issued? Or were the certificates issued according to certain criteria
and procedures, in this case according to our definition of Class 2?

StartCom conforms to or exceeds the minimum requirements of the Mozilla CA
Certificate Policy section 7, even in the free Class 1 settings. So the question
about fraudulent use affects any Certification Authority which provides "so called"
domain validated certification and is not unique to StartCom.

With the exception of domain validation, StartCom has additional measures in place
to minimize the risk of misuse and fraud:

    * The StartCom CA and the process of certificate issuance are constantly
      monitored.
    * The process of certificate issuance may, under certain circumstances,
      be stopped manually or automatically. At that point, the request requires
      manual intervention and review by StartCom personnel.
      Additional information might be requested and any verification procedure
      implemented (Similar to Class 2 verification). Any certificate request in
      the Class 1 settings can get "flagged" for such a human review.
    * All certificate details are reviewed by StartCom personnel and additional
      information may be requested from the certificate holder. If in doubt,
      the certificate could get revoked immediately.
    * Random visits of the web sites are performed by StartCom to detect fraudulent
      sites.
    * Fraudulent websites, as well as sites that damage the reputation of the CA,
      may be reported to the proper authorities and prosecuted to the full extent
      of the law.

> 2. StartCom doesn't appear to have an official WebTrust seal. why?
>

A third party audit was performed by the "We! Consulting Group", which is a respected
solution and consulting provider in Israel, with great expertise in Public Key
Infrastructure solutions and renowned customers. The audit performed was based on the
AICPA/CICA WebTrust for Certification Authorities Criteria and confirmed as such.
However, the We! Consulting Group is not a licensed WebTrust provider.

> 3. CRL publication is on a 12-hour schedule. Is the OCSP responder's data from
> the CRLs (and thus might be up to 12 hours old) or is it more up-to-date?
>

In practice CRLs get updated every 12 hours or when a certificate is revoked,
especially when the revoked certificate is suspected to fall under any of the
following conditions. These include, but are not limited to (according to the
StartCom CA policy):

    * The subscriber’s private key is lost or suspected to be compromised
    * The information in the subscriber’s certificate is suspected to be inaccurate
    * The information supplied may be misleading (ex. paypa1.com, micr0soft.com)
    * The subject has failed to comply with the rules in this policy
    * The system to which the certificate has been issued has been retired
    * The subscriber makes a request for revocation
    * The subscriber violated his/her obligations

The OCSP responder checks for changes on the CRLs every ten minutes and reloads
all CRLs every hour. Therefore the OCSP response for a revoked certificate is within
ten minutes at the most.

> I'm opening up a period of public discussion of this request. I'll post on the
> mozilla.dev.tech.crypto newsgroup to start the discussion.

Hope this helps!
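The revocation-to-OCSP path described in the answer to question 3 (CRL republished every 12 hours and on each revocation; OCSP responder re-checking the CRL every ten minutes) can be modelled to see what the "within ten minutes" bound actually depends on. This is an added example, not code from the comment author or from StartCom; the schedule constants and the minute-granularity timeline are assumptions taken from the comment text.

```python
"""Model of revocation propagation: revocation -> CRL publication -> OCSP poll.

Assumed schedule (taken from the comment, not measured):
  - a CRL is published on a fixed 12-hour cycle, and also whenever a
    certificate is revoked (publish_on_revoke=True);
  - the OCSP responder checks the CRL for changes every 10 minutes.
The hourly full reload mentioned in the comment never makes a revocation
visible earlier than the 10-minute change check, so it is not modelled.
"""
import math

CRL_PERIOD_MIN = 12 * 60   # scheduled CRL publication interval, in minutes
OCSP_POLL_MIN = 10         # responder's CRL change-check interval, in minutes


def next_multiple(t, period):
    """Smallest multiple of `period` that is >= t (t and period in minutes)."""
    return math.ceil(t / period) * period


def crl_publish_time(revoked_at, publish_on_revoke=True):
    """Minute at which a CRL listing the revoked serial becomes available."""
    if publish_on_revoke:
        return revoked_at                       # CRL regenerated immediately
    return next_multiple(revoked_at, CRL_PERIOD_MIN)  # wait for the 12h cycle


def ocsp_visible_time(crl_published_at):
    """First responder change-check at or after the new CRL is available."""
    return next_multiple(crl_published_at, OCSP_POLL_MIN)


def propagation_delay(revoked_at, publish_on_revoke=True):
    """Minutes between revocation and the OCSP responder serving 'revoked'."""
    published = crl_publish_time(revoked_at, publish_on_revoke)
    return ocsp_visible_time(published) - revoked_at


def worst_case_delay(publish_on_revoke=True):
    """Scan one full CRL cycle at minute granularity; return the largest delay."""
    return max(propagation_delay(t, publish_on_revoke)
               for t in range(CRL_PERIOD_MIN))


if __name__ == "__main__":
    # With on-revoke publication the bound is the poll interval; without it,
    # the bound grows to almost a full CRL cycle plus one poll interval.
    print("on-revoke publication, worst case:", worst_case_delay(True), "min")
    print("scheduled-only publication, worst case:", worst_case_delay(False), "min")
```

The second figure is the one a relying party should plan for if the "on revocation" republication ever fails silently, which is why monitoring that a fresh CRL actually appeared after a revocation belongs next to the revocation itself.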